SANS Digital Forensics and Incident Response Blog

In the past years, I have seen many many false and misleading statements about what is needed to securely erase or wipe a hard drive. The FUD surrounding this topic with many still purporting to have a means of recovering data using SEMs and AFM (electron microscopy will do) is incredible.

The problem is that it hurts us all.This year alone (and we are not even through the first month) I have read supposedly reputable security professionals stating that X-Ray machines and scanners will erase a drive. I have read how you need to use a forklift to drive over them.

With the help of a few colleges, I tested the theory (as that was all it ever was) that a SEM or AFM could be used to recover data. There is a reason that NO organization has ever done this, it is not possible. Science is based on empirical testing. Before that point it is not science and is just a hypothesis. Data recovery from a single wipe is not possible. It is up to those who sell the snake oil to prove it. This is science people.As for a couple of the other versions of FUD in drive wiping I noted?

An airport body scanner will do nothing to any hard drive. I travel several times a year and I am yet to lose any data from an airport scanner.

Driving over a drive with a roller (let alone a fork lift) will not damage all the platters and will leave a good level of recovery in most instances. The drive is not always crushed. Using a 2.5 tonne roller, I was able to recover the platters from 45% of drives without trying too hard.

And the Government cannot read your wiped drives either?"Although somebody like the NSA might be able to use some sort of system to read the magnetic markings on the rest of the platter."No, they cannot. The NSA does not do this, I hate these silly conspiracy theories. FUD hurts us all! Modern drives use a glass platter with a foil coating. They shatter with the right impact. They do not need to be broken though. They just need to have a secure process to wipe the information?

A secure process to wipe hard drives exists!The simplest manner is to use the wipe function in the drive. On an ATA, SATA, PATA etc drive there is the firmware Secure Erase command. This is also supported in all good SCSI drives. Not all SCSI and Fibre Channel disk drives support a "Fast SecureErase" capability, but all good modern versions have an Erase function.

Secure Erase (SE) is a positive, simple data destruction process. It is in effect "Electronic data shredding." SE completely erases all possible data areas on a supported drive (and it is difficult to find platter based drives that do not support this command set any more) by overwriting.

A full erase using SE can take 30 minutes to over an hour to complete. The thing is that the drive will restart the wipe if it is power cycled. So just restarting the host will not stop the process.

To ensure that a user cannot take the platter and move it to another drive case (and new firmware) the Fast SE complete phase changes a key and effectively makes the drive unrecoverable in our lifetime.

Basically it is quick. It is non-recoverable. It saves all the BS. It removes the need for the FUD that still surrounds us.

The process is simple:1.The user wanting to wipe the drive issues the SE security commanda.Set User Password, Security =Maximum (Master Password = Blank)2. The drive completes a Fast SE process and changes an encryption key locking the drive3.The SE process is run to do an in-depth wipe (taking 30 minutes to over an hour)4.The drive is wiped and ready to use.

Once the SE security wipe starts, it cannot be stopped.The BS and that is what it is around small bits of information being recovered using microscopy from shattered drives is also FUD. Think for a moment, what is there on an isolated 512bit section of drive that you randomly select that you can actually use?

So, how do I wipe my drive?The utility hdparm [1] will allow this (replace /dev/sda with the drive you seek to wipe).1Make sure you are logged into the system as root. You can use a boot disk.2Issue the hdparm command as root and check the drive is not security frozena.hdparm -I /dev/sdab.The result should contain the words "not frozen"3Issue the command toa.hdparm -user-master u -security-set-pass Eins /dev/sda4Confirm the processa.hdparm -I /dev/sdab.look for the word "enabled" in the output5 Issue the AT SE commanda.hdparm -user-master u -security-erase Eins /dev/sda6When the drive is erased, the output verification will return "not enabled", check using the command:a.hdparm -I /dev/sda

Craig Wright is a Director with Information Defense in Australia. He holds both the GSE, GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial law and ecommerce law, A Masters Degree in mathematical statistics from Newcastle as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Stuart University where he lectures subjects in a Masters degree in digital forensics. He is writing his second doctorate, a PhD on the quantification of information system risk at CSU.

8 Comments

Paul sanderson

Hear hear ''" I have been saying this for many years and even released a tool about 10 years ago (BXDR) to secure erase IDE hard drives using the ATA security protocols (which have been around since ATA3)

Eric

Rob Dewhirst

Thanks for posting this. I didn't know the drive would pick up where it left off if the host cycled. That would have saved me a lot of time.Secure ATA erase is the fastest and most secure way to erase a drive, but it is far from easy. I have seen drives that will not unfreeze, and there are some bugs in hdparm < 9.31 that will cause timeout with large drives. The last time I checked most distros had much older versions of hdparm, so in most of them you will have to update hdparm yourself.You also need raw access to the ATA drive so you can't use USB, FW, or a VM to do this (prove me wrong on the latter, please). I use an eSATA dock just fine though.Another nice thing is that hdparm will show you a time estimate for secure erase before you start. It seems to me that estimate is accurate within a few mins. 1TB = 4 hours.https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

Albert

Huh?"This is science people." what is, you mean: "With the help of a few colleges (sic), I tested the theory (as that was all it ever was) that a SEM or AFM could be used to recover data.". Ummm, can we see some results? Some experimental evidence? A paper? You want to see science, how about:Well me and a few physicist buddies had a few beers and grabbed the lab's AFM, and we are pretty sure we could recover data after a wipe.If you are going to talk in scientific terms, do so. This article is a long way removed from science. I'm not disagreeing with the sentiment of this article, but it does nothing to add scientific weight to the debate.

Craig S Wright

The paper has been linked here before''# ^ Wright, Craig; Kleiman, Dave; Sundhar R.S., Shyaam (December 2008). "Overwriting Hard Drive Data: The Great Wiping Controversy". Lecture Notes in Computer Science (Springer Berlin / Heidelberg). doi:10.1007/978-3-540-89862-7_21. ISBN 978-3-540-89861-0. The weight is he published paper. This was research completed nearly 2.5 years ago. So it is not new anymore.

Craig S Wright

CMRR have done a number of studies and you can look up the papers from this lab as well. Basically, our research was re-preformed (as scientific process dictates) by an independent group with essentially the same results.So can we put the conspiracy theories to rest?

WebDawg

You should never set a password to blank or NULL. Read here:If the SECURITY ERASE fails, use ''"disable-security to set your drive back to normal. Do not set the password to an empty string or NULL. The Lenovo BIOS at least will not allow you to change the password if it's blank. It also freezes the drive so that you can't change the password later, after booting into an OS. I'm now stuck with three drives that are passworded and I cannot unpassword. I finally found a board with a Phoenix TrustedCore BIOS which does allow clearing an empty password ''" Chris. From:https://ata.wiki.kernel.org/index.php?title=ATA_Secure_Erase